iptables randomly blocks the Internet connection when using OpenVPN
Hello everyone.

I hope this is the right place to post my question. I am running Raspbian (Debian) on my Raspberry Pi. It is connected to a VPN server, and I have had help creating these iptables rules, which I have put into /etc/rc.local. This is the only way I could make the iptables rules persistent and still have an Internet connection when my system starts up. But the problem is that my system's outgoing connection (not LAN) gets blocked once or twice every day. If I restart the system, then I have an outgoing connection again. But it is really frustrating that I have to restart my system a couple of times every day, and not knowing when I will have to restart. Here are my iptables rules:

Code:
#!/bin/sh

I have also tried adding my VPN provider's host names to the allow.host file, but this didn't change anything. I really hope someone has an idea what I can do. This problem has been bugging me for a year now, and I have heard a lot of positive things about this site. Fingers crossed, and thanks for reading my post.
First of all, are all outgoing connections blocked or only the OpenVPN tunnel?

Check the system logs for messages; we need to see exactly what happens.

But that IP (the remote VPN server's) is hardcoded in the config file, right? If not, if somehow the IP is written to the config file at boot, there you have the problem. If the IP is hardcoded in the OpenVPN config file, then why that line "/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT"?
You are making the usual firewall mistake of blocking all ICMP packets, and thus creating communication problems which ICMP is designed to smooth out. Allow them.

I can't say for sure that this is causing your problem, but it certainly isn't helping ;)
Thank you for your reply.

Earlier I used this command to log problems with the VPN tunnel:

Code:
tail -F /var/log/syslog

I will give you the output of this command as soon as the connection drops.

When I used this package with my rules, I did not have an outgoing connection through the VPN tunnel, and a reboot didn't solve that. That is why I thought it wouldn't make a difference with iptables-save.

Code:
iptables -L -n

I am getting a whole lot of different IP addresses from my VPN host. But the funny thing is that if I run my system without iptables rules, and of course connected to my VPN service, I get a stable connection and I don't need to restart now and then. I also have a list of all the IP addresses my VPN service offers, but I don't know how I can use that to solve my problem. I hope I have made myself understandable. I am not that fluent in Linux, so please bear with me! Looking forward to hearing your response.
Hi brebs

I have never heard about ICMP packets before. Could you tell me how I write these rules? And where should I place them in my iptables rules? Could they look like this?

Code:
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
Ahaa! :)

I think I've got it: your VPN service has multiple IPs to use for its tunnels, and at random intervals the IP you connect to changes. But you say you have a list of all the IP addresses your VPN service offers, so why not just add all those to your iptables rules? It won't really compromise your security.

As for ICMP, if you need extremely high security you don't respond to ping, but normally I agree with brebs: you should allow it / respond. So add:

Code:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

(Can't test it right now, but I think I got it right.)
And of course, if all VPN remote addresses are already allowed, give us this: the result of iptables -L *when everything works* and the same when the VPN is blocked. You have public IPs there, so maybe you don't want to post them. But just compare for yourself the output of "iptables -L" before and after, and compare it with the list of VPN addresses you have.
Okay, let's say you are right about the IP addresses. But where in the list of rules would I put them, and what would they look like?

Also for the ICMP rules, where do I put them in? It is not because I am lazy and do not want to Google this, but it is just too complex for me to understand. But I hope you are right about the IP addresses... seems logical :-)
No, you're both missing the point about ICMP. The "echo" part of ICMP is insignificant. Destination unreachable is *far* more important.

Just google "icmp blocking", and read e.g. this. Rate-limit ICMP if you're paranoid, but if you're *normal*, then just allow *ALL* ICMP through. Or point to an actual present-day vulnerability regarding ICMP (ignoring the boring DoS) ;)
Okay, I now have an error log:

Code:
root@raspberrypi:/home/pi# tail -F /var/log/syslog

Code:
iptables -L -n

And I compared the IP addresses from when the tunnel was blocked and from when I had just restarted the system and the VPN was working. Each output gave me 17 different IP addresses, and they were exactly the same in both cases. So what does this log tell you?
192.168.1.1 is your DNS server according to those logs (port 53 UDP). In your iptables rules you don't list allowing port 53 at all. The log specifically says you're blocking outbound DNS.

Code:
iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m state --state NEW -m udp --dport 53 -j ACCEPT

Code:
iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT

Where is 192.168.1.1? Is it an interface on the same box as these iptables rules and the VPN host? If so, your rules should look something like this.

Code:
iptables -A INPUT -p udp -s 192.168.1.0/24 -m state --state NEW -m udp --dport 53 -j ACCEPT

Code:
iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT

Code:
iptables-restore < /etc/iptables.rules
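The advice in this thread (allow DNS to the router, allow all ICMP, allow every address the VPN provider publishes on the LAN side, send everything else through the tunnel) put together as one script that prints the ruleset for review before applying it. This is an added example, not the OP's rc.local script or any rule posted above. The interface name eth0, the 192.168.1.0/24 LAN, the resolver 192.168.1.1, the tun+ device name, the 1194/udp default and the sample .ovpn lines in the comments are assumptions; adjust them to your box.

```shell
#!/bin/sh
# Added example: build an iptables "kill switch" ruleset for an OpenVPN client.
# generate_rules prints one iptables command per line so it can be read first;
# --apply pipes the same output into sh (run as root). Everything not listed
# below is dropped, which is what stops traffic leaking when the tunnel dies.
set -eu

LAN_IF=eth0                 # assumption: the Pi's wired interface
LAN_NET=192.168.1.0/24      # assumption: the home LAN
LAN_DNS=192.168.1.1         # assumption: the router is the resolver (as in the thread)
VPN_IF="tun+"               # OpenVPN tun devices

# Normalize an OpenVPN proto word (udp, udp4, tcp-client, tcp6 ...) to udp|tcp.
norm_proto() {
    case "${1:-udp}" in tcp*) echo tcp ;; *) echo udp ;; esac
}

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# generate_rules <client.ovpn> [vpn-ip-list]
# The optional list holds every endpoint IP the provider publishes, one per
# line, so a reconnect to a different address is not blocked by the firewall.
generate_rules() {
    ovpn="$1"
    iplist="${2:-}"
    # port and proto of the first 'remote' line, reused for the IP list
    set -- $(grep -h '^remote ' "$ovpn" | head -n1)
    vpn_port="${3:-1194}"
    vpn_proto=$(norm_proto "${4:-udp}")

    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP carries error signalling (destination unreachable, fragmentation
# needed); allow all of it, not only echo request/reply
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# DNS to the LAN resolver, so the VPN hostname resolves before tun0 exists
iptables -A OUTPUT -o $LAN_IF -d $LAN_DNS -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -d $LAN_DNS -p tcp --dport 53 -j ACCEPT
# keep the LAN reachable (the OP's LAN traffic was never the problem)
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
EOF

    # One ACCEPT per 'remote <host> [port] [proto]' line, on the LAN side only.
    grep -h '^remote ' "$ovpn" | while read -r kw host port proto rest; do
        port="${port:-1194}"
        proto=$(norm_proto "${proto:-udp}")
        if is_ipv4 "$host"; then
            echo "iptables -A OUTPUT -o $LAN_IF -d $host -p $proto --dport $port -j ACCEPT"
        else
            # A hostname that later resolves to another address is exactly the
            # case that kills the tunnel; supply the provider's IP list instead.
            echo "# remote $host is a hostname: resolve it or list it in the IP file"
        fi
    done

    if [ -n "$iplist" ]; then
        grep -E '^[0-9]' "$iplist" | while read -r ip rest; do
            echo "iptables -A OUTPUT -o $LAN_IF -d $ip -p $vpn_proto --dport $vpn_port -j ACCEPT"
        done
    fi

    # Everything else leaves the box only through the tunnel.
    echo "iptables -A OUTPUT -o $VPN_IF -j ACCEPT"
}

case "${1:-}" in
    --print) generate_rules "$2" "${3:-}" ;;
    --apply) generate_rules "$2" "${3:-}" | sh -e ;;   # as root
esac
```

Run `sh vpn-rules.sh --print /etc/openvpn/client.ovpn vpn-ips.txt` and read the output; once it looks right, `--apply` it, then `iptables-save > /etc/iptables.rules` and restore that file from rc.local (or iptables-persistent) instead of re-running the script at boot. Two caveats: the DNS rule lets name lookups go to the router outside the tunnel, so if that leak matters use a resolver reachable through tun0 once the tunnel is up; and the "remote" hostname rule is intentionally a comment, because allowing whatever the name resolves to at boot is precisely the behaviour the OP describes.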
Code:
curl ifconfig.me

The IP address 192.168.1.1 is my router. So what do you make of that? I will have a look at your blog post. I just hope that I am able to understand any of it. :-)

Sorry about all the questions.. :-)